[Cover: seal of the U.S. Election Assistance Commission, Office of Inspector General]
FINAL EVALUATION REPORT:

United States Election Assistance Commission
Federal Information Security Management Act
2008 Independent Evaluation Report

No. I-EV-EAC-01-08
OCTOBER 2008


U.S. ELECTION ASSISTANCE COMMISSION
OFFICE OF INSPECTOR GENERAL
1225 New York Ave. NW - Suite 1100
Washington, DC 20005

October 31, 2008

Memorandum

To:       Chair, U.S. Election Assistance Commission

From:     Curtis W. Crider
          Inspector General

Subject:  Final Evaluation Report - United States Election Assistance Commission Federal
          Information Security Management Act 2008 Independent Evaluation Report
          (Assignment No. I-EV-EAC-01-08)

We contracted with the independent certified public accounting firm of Clifton Gunderson LLP
(Clifton Gunderson) to conduct the subject evaluation. Clifton Gunderson found that the U.S.
Election Assistance Commission (EAC) has made progress in educating users through security and
privacy awareness training, and has initiated discussions to develop EAC-specific policies
related to information system security and privacy. However, additional improvements are needed.
The evaluation found that the EAC has not established an information security program and has
not been proactive in reviewing security controls and identifying areas to strengthen this
program. In addition, the evaluation found that the EAC was not fully compliant with several
provisions of the Privacy Act.

Please provide us with your written response to the recommendations included in this report by
December 1, 2008. Your response should contain information on actions taken or planned,
including target dates and the titles of the EAC officials responsible for implementing the
recommendations.

The legislation, as amended, creating the Office of Inspector General (5 U.S.C. App. 3) requires
semiannual reporting to Congress on all reports issued, actions taken to implement
recommendations, and recommendations that have not been implemented. Therefore, this report will
be included in our next semiannual report to Congress.

If you have any questions regarding this report, please call me at (202) 566-3125.


UNITED STATES ELECTION ASSISTANCE COMMISSION
FEDERAL INFORMATION SECURITY MANAGEMENT ACT (FISMA)
2008 INDEPENDENT EVALUATION REPORT
October 2, 2008


Clifton Gunderson LLP
Certified Public Accountants & Consultants

October 2, 2008

Mr. Curtis Crider
Office of the Inspector General
U.S. Election Assistance Commission
1225 New York Avenue NW, Suite 1100
Washington, DC 20005

Dear Mr. Crider,

We are pleased to provide the fiscal year (FY) 2008 Office of Inspector General (OIG) response
to Office of Management and Budget (OMB) Memorandum M-08-21, "FY 2008 Reporting Instructions for
the Federal Information Security Management Act (FISMA) and Agency Privacy Management," and the
FY 2008 FISMA Independent Evaluation Report, detailing the results of our review of the Election
Assistance Commission's (EAC) information security program.

FISMA requires Inspectors General to conduct annual evaluations of their agency's security
programs and practices, and to report to OMB on the results of their evaluations. OMB Memorandum
M-08-21 provides instructions for meeting the FISMA reporting requirements.

We completed our response to M-08-21 based on our independent evaluation as of September 12,
2008, subsequent review through the date of this report of documentation supporting the security
program performance statistics reported by EAC management, and review of Plans of Action and
Milestones. In preparing our responses, we collaborated with EAC management and appreciate their
cooperation in this effort.

EAC management has provided Clifton Gunderson LLP with a response (dated September 30, 2008) to
this FISMA 2008 Independent Evaluation Report. Management accepts our findings and
recommendations and intends to develop an action plan to address these findings.

We appreciate the opportunity to assist your office with these reports. Should you have any
questions, please call George Fallon at (301) 931-2050.

Very truly yours,

CLIFTON GUNDERSON LLP

GFF:sgd

11710 Beltsville Drive, Suite 300
Calverton, MD 20705-3106
tel: 301-931-2050
fax: 301-931-1710
www.cliftoncpa.com
Offices in 17 states and Washington, DC


TABLE OF CONTENTS

I.     EXECUTIVE SUMMARY
II.    BACKGROUND
III.   OBJECTIVES
IV.    SCOPE AND METHODOLOGY
V.     DETAILS OF RESULTS
       A. Prior Year Results
       B. Current Year Results
VI.    FINDINGS AND RECOMMENDATIONS
VII.   ACRONYMS


I.    EXECUTIVE SUMMARY

      Title III of the E-Government Act of 2002 (Public Law No. 107-347), also called FISMA,
      requires agencies to adopt a risk-based, life cycle approach to improving computer security
      that includes annual security program reviews, independent evaluations by the Inspector
      General (IG), and reporting to OMB and the Congress. It also codifies existing policies and
      security responsibilities outlined in the Computer Security Act of 1987 and the
      Clinger-Cohen Act of 1996.

      Based on the results of our fiscal year (FY) 2008 independent evaluation, we determined
      that the EAC has not established an information security program and has not been
      proactive in reviewing security controls and identifying areas to strengthen this program.

      The FY 2007 Pre-FISMA Independent Evaluation Report included six findings, three of which
      (FY07-02, FY07-04 and FY07-05) were closed in the current year. The three findings that
      remain open (FY07-01, FY07-03 and FY07-06) relate to the inventory of systems used by
      EAC's external service provider, EAC's information security and privacy policies and
      procedures, and oversight of that service provider. EAC has made progress in educating
      users through security and privacy awareness training, and has initiated discussions to
      develop EAC-specific policies and procedures relating to information system security and
      privacy.

      We are reporting nine findings for FY 2008, six of which are new and three of which repeat
      open FY 2007 findings.

II.   BACKGROUND

      The EAC was established by the Help America Vote Act of 2002 (HAVA). Central to its role,
      EAC serves as a national clearinghouse and resource for information and review of
      procedures with respect to the administration of Federal elections. According to the text
      of HAVA, the law was enacted to:

        "... establish a program to provide funds to states to replace punch card voting
        systems, to establish the Election Assistance Commission to assist in the administration
        of Federal elections and to otherwise provide assistance with the administration of
        certain Federal election laws and programs, to establish minimum election administration
        standards for states and units of local government with responsibility for the
        administration of Federal elections, and for other purposes."

      HAVA requires the EAC to:

      •  Generate technical guidance on the administration of Federal elections.
      •  Produce voluntary voting system guidelines.
      •  Research and report on matters that affect the administration of Federal elections.
      •  Provide information and guidance with respect to laws, procedures, and technologies
         affecting the administration of Federal elections.
      •  Administer payments to states to meet HAVA requirements.
      •  Provide grants for election technology development and for pilot programs to test
         election technology.
      •  Manage funds targeted to certain programs designed to encourage youth participation in
         elections.
      •  Develop a national program for the testing, certification, and decertification of voting
         systems.
      •  Maintain the national mail voter registration form that was developed in accordance with
         the National Voter Registration Act of 1993 (NVRA), report to Congress every two years
         on the impact of the NVRA on the administration of Federal elections, and provide
         information to states on their responsibilities under that law.
      •  Audit persons who received Federal funds authorized by HAVA from the General Services
         Administration (GSA) or the EAC.
      •  Submit an annual report to Congress describing EAC activities for the previous fiscal
         year (FY).

      Through the E-Government Act of 2002, of which FISMA is Title III, Congress sought to
      enhance the management and promotion of electronic government services and processes. The
      Act's goals are to achieve more efficient government performance, increase access to
      government information, and increase citizen participation in government. FISMA provides a
      comprehensive framework for ensuring the effectiveness of security controls over
      information resources that support Federal operations and assets. It also codifies existing
      policies and security responsibilities outlined in the Computer Security Act of 1987 and
      the Clinger-Cohen Act of 1996.

      The EAC Office of the Inspector General (OIG) contracted with Clifton Gunderson LLP to
      conduct EAC's FY 2008 FISMA Independent Evaluation. We performed this evaluation in
      conjunction with our review of the information security controls required as part of the
      annual financial statement audit.

III.  OBJECTIVES

      The purpose of this evaluation was to assess the effectiveness of EAC's information
      security program and practices and to determine compliance with the requirements of FISMA
      and related information security policies, procedures, standards, and guidelines.

IV.   SCOPE AND METHODOLOGY

      To perform our review of EAC's security program, we followed a work plan based on: the
      National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53,
      Recommended Security Controls for Federal Information Systems, for the specification of
      security controls; NIST SP 800-37, Guide for the Security Certification and Accreditation
      of Federal Information Systems, and NIST SP 800-53A, Guide for Assessing the Security
      Controls in Federal Information Systems, for the assessment of security control
      effectiveness; the Government Accountability Office (GAO) Federal Information System
      Controls Audit Manual (FISCAM, GAO/AIMD-12.19.6); and our general controls review
      methodology. The combination of these methodologies allowed Clifton Gunderson LLP to meet
      the requirements of both FISMA and the Chief Financial Officers (CFO) Act. In addition, our
      evaluation was conducted in accordance with the January 2005 Quality Standards for
      Inspections issued by the President's Council on Integrity and Efficiency.

      Our procedures included following up on recommendations made in the FY 2007 Pre-FISMA
      Independent Evaluation Report; performing internal and external security reviews of EAC's
      information technology (IT) infrastructure; reviewing agency Plans of Action and Milestones
      (POA&Ms); and evaluating EAC's major systems.

      We performed procedures to test (1) EAC's implementation of an entity-wide security plan,
      and (2) operational and technical controls specific to each application, such as service
      continuity, logical access, and change controls. We also performed targeted tests of
      controls over financial processing applications and processes.
      We performed our review from August 1, 2008 to September 12, 2008 at EAC's headquarters in
      Washington, District of Columbia.

      EAC management and staff were very helpful and accommodating throughout this review and
      assisted us in refining the recommendations. This independent evaluation was prepared based
      on information available as of September 12, 2008.

V.    DETAILS OF RESULTS

      A.   Prior Year Results

           The FY 2007 Pre-FISMA Independent Evaluation Report identified six findings, reported
           as other weaknesses (i.e., not significant enough to be reported as significant
           deficiencies in accordance with OMB classification guidelines). The following table
           summarizes the findings reported in FY 2007 and their current status.

           #          Title                                                                      Current Status

           FY07-01    EAC does not have an inventory of all the systems/applications used by     Open
                      GSA to support the operations of EAC. GSA utilizes a suite of applications
                      for the various services it provides EAC, like CHRIS for HR management and
                      Pegasys®, a commercial-off-the-shelf product for financial management and
                      reporting.

           FY07-02    The Memorandum of Understanding (MOU) does not provide guidance on EAC's   Closed
                      responsibilities with respect to data integrity and completeness. EAC
                      prepares manual vouchers and transmits these to GSA for input. The
                      responsibilities of each party are not spelled out in the MOUs. We did not
                      see evidence of the existence of an Interconnection Security Agreement
                      (ISA) or evidence that the EAC concerns were addressed in a timely manner
                      by the service provider.

           FY07-03    EAC has not developed any policies or procedures for information security  Open
                      or privacy management. Per the terms of the MOU, the GSA procedures will
                      prevail where there are no guiding policies provided by the user
                      organization.

           FY07-04    There is no evidence that employees and contractors of EAC have received   Closed
                      Security Awareness Training.

           FY07-05    Only the OIG and its contractors have signed the Rules of Behavior          Closed
                      Governing Acceptable Use of Federal Information System Resources policy.

           FY07-06    Inadequacies were noted related to personnel security practices at EAC's   Open
                      service provider (GSA). The GSA OIG has reported several cases of
                      non-compliance with background investigations for GSA's contract personnel
                      supporting GSA systems. This weakness may potentially impact the integrity
                      of EAC systems.

      B.   Current Year Results

           In FY 2008, EAC addressed our recommendation related to security awareness training by
           rolling out a separate privacy and information security training course, which
           includes a test of the user's knowledge of key concepts, a minimum passing score, and
           a mandate to complete the course and provide the completion certificate to management.

           The following table summarizes the nine findings for FY 2008. Six are new; three
           (FY08-05, FY08-06 and FY08-09) repeat findings that remain open from FY 2007.

           Finding
           Number     Title                                                                      Comments

           FY08-01    An agency-wide information security program in compliance with FISMA has   None
                      not been developed.

           FY08-02    A security management structure with adequate independence, authority,     None
                      and expertise, which is assigned in writing, has not been implemented.

           FY08-03    A Certification and Accreditation (C&A), formal Risk Assessment, security  None
                      plan or Security Test and Evaluation (ST&E) of its local area network and
                      website general support systems has not been completed/developed.

           FY08-04    EAC is not fully compliant with several Privacy Act requirements,          None
                      including:
                      - A Chief Privacy Officer with the responsibility for monitoring and
                        enforcing privacy-related policies and procedures has not been
                        designated.
                      - EAC has not identified systems housing personally identifiable
                        information or conducted related Privacy Impact Assessments (PIAs) as
                        required by OMB Memorandum M-06-16, Protection of Sensitive Agency
                        Information.
                      - EAC has not developed formal policies that address the information
                        protection needs associated with personally identifiable information
                        (PII) that is accessed remotely or physically removed.

           FY08-05    Weaknesses noted in our review of the independent third-party information  Repeat of FY07-06
                      security examinations and inspections are not monitored by EAC within the
                      GSA POA&M.

           FY08-06    Policies or procedures for information security or privacy management      Repeat of FY07-03
                      have not been developed. Per the terms of the MOU, the GSA procedures will
                      prevail where there are no guiding policies provided by the user
                      organization.

           FY08-07    A formal incident response capability has not been established.            None

           FY08-08    A Continuity of Operations Plan (COOP), Disaster Recovery Plan (DRP) or    None
                      Business Impact Assessment (BIA) has not been developed.

           FY08-09    EAC does not have an inventory of all the systems/applications used by     Repeat of FY07-01
                      GSA to support the operations of EAC, or formally identified major
                      applications and general support systems.

           The details of our findings and recommendations follow.

VI.   FINDINGS AND RECOMMENDATIONS

      FY08-01   An agency-wide information security program in compliance with FISMA has not
                been developed.

           Based upon discussions with EAC management and review of the documentation provided,
           we determined that EAC has not developed, documented, or implemented the following in
           accordance with FISMA:

           •  Periodic assessments of risk, including the magnitude of harm that could result
              from the unauthorized access, use, disclosure, disruption, modification, or
              destruction of information and information systems that support the operations
              and assets of the agency;

           •  Policies and procedures that are based on risk assessments, cost-effectively reduce
              information security risks to an acceptable level, and ensure that information
              security is addressed throughout the life cycle of each agency information system;

           •  Subordinate plans for providing adequate information security for networks,
              facilities, information systems, or groups of information systems, as appropriate;

           •  Periodic testing and evaluation of the effectiveness of information security
              policies, procedures, practices, and security controls, to be performed with a
              frequency depending on risk, but no less than annually;

           •  A process for planning, implementing, evaluating, and documenting remedial actions
              to address any deficiencies in the information security policies, procedures, and
              practices of the agency;

           •  Procedures for detecting, reporting, and responding to security incidents; and

           •  Plans and procedures to ensure continuity of operations for information systems
              that support the operations and assets of the agency.
We\n    determined a disaster recovery plan is in development.\n\nThe E-Government Act (Public Law 107-347) Title III, entitled FISMA, requires\neach federal agency to develop, document, and implement an agency-wide\ninformation security program to provide information security for the information\nand information systems that support the operations and assets of the agency,\nincluding those provided or managed by another agency, contractor, or other\nsource. The information security program must include:\n\n    Periodic assessments of risk, including the magnitude of harm that could\n    result from the unauthorized access, use, disclosure, disruption,\n    modification, or destruction of information and information systems that\n    support the operations and assets of the agency;\n\n    Policies and procedures that are based on risk assessments, cost\xc2\xad\n    effectively reduce information security risks to an acceptable level, and\n    ensure that information security is addressed throughout the life cycle of\n    each agency information system;\n\n    Suborginate plans for providing adequate information security for networks,\n    facilities, information systems, or groups of information systems, as\n    appropriate;\n\n     Security awareness training to inform personnel (including contractors and\n     other users of information systems that support the operations and assets of\n     the agency) of the information security risks associated with their activities\n     and their responsibilities in complying with agency policies and procedures\n     designed to reduce these risks;\n\n     Periodic testing and evaluation of the effectiveness of information security\n     policies, procedures, practices, and security controls to be performed with a\n     frequency depending on risk, but no less than annually;\n\n\n\n                                 6\n\x0c     A process for planning, implementing, evaluating, and documenting\n     remedial actions to address 
any deficiencies in the information security\n     policies, procedures, and practices of the agency;\n\n     Procedures for detecting, reporting, and responding to security incidents;\n     and,\n\n     Plans and procedures to ensure continuity of operations for information\n     systems that support the operations and assets of the agency.\n\nOMB Circular No A-130 Appendix III states: \'Agencies shall implement and\nmaintain a program to assure that adequate security is provided for all agency\ninformation collected, processed, transmitted, stored, or disseminated in general\nsupport systems and major applications\'.\n\nNIST Special Publication 800-18 states:\' All information systems must be\ncovered by a system security plan and labeled as a major application or general\nsupport system\'.\n\nRecommendation\nWe recommend EAC management continue ongoing efforts and implement a\nformal agency-wide security program plan in line with OMS A-130 Appendix III,\nNIST Special Publication 800-18 and FISMA.\n\nEAC Management\'s Response\nCurrently, EAC has procured a contractor to assist with the agency\'s strategies to\nbecome compliant with OMS A-130, NIST special Publication 800-18 and\nFISMA. 
These measures include completion of a certification and accreditation\nof support systems, System Security Plans and practices and procedural guides\nand documentation that will address the following issues noted in the condition\nabove:\n\n\xe2\x80\xa2\t    Periodic assessments of risks\n\xe2\x80\xa2\t    Policies and procedures that are based on risk assessments\n\xe2\x80\xa2\t    Periodic testing and evaluation of the effectiveness of information security\n      policies, procedures, practices, and security controls\n\xe2\x80\xa2\t    A process for planning, implementing, evaluating, and documenting\n      remedial actions to address any deficiencies in the information security\n      policies, procedures, and practices of the agency\n\xe2\x80\xa2\t    Procedures for detecting, reporting, and responding to security incidents\n\xe2\x80\xa2\t    Plans and procedures to ensure continuity of operations\n\xe2\x80\xa2\t    Subordinate plans for providing adequate information security for Support\n      systems\n\nThough EAC\'s process is informal considering the lack of documentation and\nprocedural guides, a contingency plan exists for GSA systems which include\nEAC. As a result, EAC would be effectively operational in the event of a minor or\nmajor disaster. 
EAC currently has a draft of recommendations for a COOP plan\nwhich will be addressed during the agencies efforts to be in compliance with\nOMS Circular A-130, NIST special Publication 800-18 and FISMA.\n\n\n\n                                 7\n\n\x0c        In the event of a security incident, EAC follows GSA\'s CIO-IT Security-01-02 in\n        the Handling IT Security Incidents Procedural Guide.\n\n\n\nFY08\xc2\xb702 A security management structure with adequate independence, authority,\n        and expertise has not been implemented.\n\n        OMB Circular No A-130 Appendix 1/1 states: \'Assign responsibility for security in\n        each system to an individual knowledgeable in the information technology used\n        in the system and in providing security for such technology\'.\n\n        \'For each system, an individual should be a focal point for assuring there is\n        adequate security within the system, including ways to prevent, detect, and\n        recover from security problems. That responsibility should be assigned in writing\n        to an individual trained in the technology used in the system and in providing\n        security for such technology, including the management of security controls such\n        as user identification and authentication.\'.\n\n        Recommendation\n        We recommend EAC management assign responsibility for the security\n        management function to an individual with the oversight responsibility over the\n        security management structure. The individual should have the expertise and\n        independence to enforce security policies.\n\n        EAC Management\'s Response\n        GSA provides IT infrastructure support systems and services to the EAC. Within\n        this support provided, EAC adheres to all rules, laws, policies, regulations,\n        guidelines and plans set forth by GSA. 
EAC has not documented nor has\n        formally implemented a security management structure or assigned any security\n        roles. EAC operates within GSA\'s security controls. In the lack thereof, EAC has\n        authorized an on site IT specialist to work with GSA to address security issues.\n        Due to limited human resources, we have not been able to monitor GSA\'s\n        security structure and plan. To address staffing and role assignment issues,\n        EAC has strategically engaged in the process of having a contractor recommend\n        and assist with the delegation and designation of security roles. EAC has also\n        interviewedtor a position in the IT division.\n\n        Currently, EAC is in the process of having a contractor assist with the Agency\'s\n        strategies to become compliant with OMS A-130, NIST special Publication 800\xc2\xad\n        18 and FISMA. This will include completion of a C&A of support systems,\n        System Security Plans and Practices and procedural guides and documentation.\n\n\n\n\n                                         8\n\x0cFY08\xc2\xb703 A Certification and Accreditation (C&A), formal Risk Assessment, security\n        plan or Security Test and Evaluation (ST&E) of its local area network and\n        website general support systems has not been completed/developed.\n\n        N/ST Special Publication 800-37 requires agencies to perform certification and\n        accreditation of its major applications or general support system at least once\n        every three years or when there is a significant change in the IT operating\n        environment.\n\n        A C&A is required for all Federal information systems as indicated within Section\n        3544(b)(3) of FISMA. 
This section refers to "subordinate plans for providing adequate information security for networks, facilities, and systems or groups of information systems" and does not distinguish between major or other applications.

Supplementing the above considerations, mandatory NIST Federal Information Processing Standards (FIPS) 199, Standards for Security Categorization of Federal Information and Information Systems, defines security categories for information systems based on the potential impact on organizations or individuals should there be a breach of security, that is, a loss of confidentiality, integrity (including authenticity and non-repudiation), or availability. FIPS 199 security categories can play an important part in defining accreditation boundaries by partitioning the agency's information systems according to the criticality or sensitivity of the systems and the importance of those systems in accomplishing the agency's mission.
The partitioning process facilitates the cost-effective application of security controls to achieve adequate security commensurate with the mission/business functions being supported by the respective information systems.

NIST Special Publication 800-53 Rev 2 (RA-3) states: "The organization conducts assessments of the risk and magnitude of harm that could result from the unauthorized access, use, disclosure, disruption, modification, or destruction of information and information systems that support the operations and assets of the agency (including information and information systems managed/operated by external parties)."

Recommendations
We recommend EAC management:

• Continue with ongoing efforts and conduct certification and accreditation of its general support system.
• Implement a risk assessment policy to require risk assessments to be performed periodically or when there is a significant change in the IT operating environment.

EAC Management's Response
In agreement, EAC has not performed the following on its local area network and website general support systems:

1. Certification and Accreditation (C&A)
2. Formal risk assessment
3. Security plan
4. System Testing & Evaluation

The website and local area network are supported by two different parties. The LAN is supported by GSA and the website is supported by Humanitas, a contracted company.

GSA provides IT infrastructure support services to the EAC.
Within this support provided, EAC adheres to all rules, laws, regulations and plans set forth by GSA.

Currently, EAC is in the process of procuring a contractor to assist with the completion of a C&A that addresses all four issues mentioned above. Documentation was provided to CG on this.

In section 10 of GSA Responsibilities in the MOU between GSA and EAC, it indicates that EAC will fall under the FY08 System Security Plan (SSP) for GSA. Though EAC currently does not have an SSP of its own, it informally has one via GSA's SSP.

FY08-04 EAC is not fully compliant with several Privacy Act requirements, including:

• A Chief Privacy Officer with the responsibility for monitoring and enforcing privacy-related policies and procedures has not been designated.
• EAC has not identified systems housing personally identifiable information or conducted related PIAs.
• EAC has not developed formal policies that address the information protection needs associated with PII that is accessed remotely or physically removed.

We reviewed EAC's compliance with privacy protection of PII and determined that EAC has temporarily assigned Privacy Officer duties to the Human Resource Specialist.

We noted that the 2008 FISMA Review performed for the GSA does not specify which systems were covered by this review. The FISMA template lists GSA systems by region and bureau [rather than by system name], making it difficult to determine if EAC-supported systems were part of this review.
EAC does not have an inventory of the systems covered by the FISMA evaluation or of the bureau or region in which these systems are located, and has not performed a PIA on systems identified as containing EAC PII.

OMB M-06-16 states that agencies should: Verify information categorization to ensure identification of personally identifiable information requiring protection when accessed remotely or physically removed. The purpose is to review the Federal Information Processing Standards (FIPS) Publication No. 199 security categorization of organizational information with the focus on remote access and physical removal. The intent is to ensure all personally identifiable information through which a moderate or high impact might result has been explicitly identified. For example, databases where the loss, corruption, or unauthorized access to personally identifiable information contained in the databases could result in a serious adverse effect, with widespread impact on individual privacy, are one area of specific concern.

NIST Special Publication 800-53 Rev 2 (PL-5) states: "The organization conducts a privacy impact assessment on the information system in accordance with OMB policy."

OMB Memorandum M-06-16, "Protection of Sensitive Agency Information," requires agencies to implement organizational policy that addresses the information protection needs associated with personally identifiable information that is accessed remotely or physically removed.

We reviewed the critical elements required of government agencies and organizations in FY 2006 and noted EAC's level of compliance. The following questions were extracted from the Data Collection Instrument issued by the PCIE.
For purposes of this assessment, we extracted high-level questions only. Our results are documented in the following table. Each entry gives the reference, the control step, the response (Yes, No, Partial, or Not Applicable) and Clifton Gunderson's comments.

Ref: Step 1
Control Step: Has EAC confirmed identification of personally identifiable information protection needs? If so, to what level?
Response: Partial
Clifton Gunderson Comments: Although EAC has not received an inventory of all systems used by GSA to support the EAC's activities, it has identified the need to protect all portable computers accessing EAC data. To achieve this goal, management has affirmed that EAC has procured "Credant" encryption software. We noted during the period of our audit that about 70 percent of all EAC computers have been encrypted with the Credant encryption software. We randomly selected five (5) laptops to determine if they are encrypted. EAC has identified that Pegasys, FMIS and CHRIS are the GSA-owned systems that contain EAC's personally identifiable information.

Ref: Step 2
Control Step: Has EAC verified the adequacy of organizational policy? If so, to what level?
Response: Partial
Clifton Gunderson Comments: Administrative policies have been developed addressing employee conduct and hiring procedures. However, EAC has still not identified security policies and procedures.

Ref: Step 3
Control Step: Has EAC implemented protections for personally identifiable information being transported and/or stored offsite? If so, to what level?
Response: Partial
Clifton Gunderson Comments: See Step 1 above. EAC has procured encryption software to protect information being transported and/or stored off-site. We noted during the period of our audit that approximately 70 percent of all EAC computers have been encrypted with the Credant encryption software. We randomly selected five (5) laptops to determine if they are encrypted. We noted that EAC-issued BlackBerries are not currently encrypted with the Credant encryption software.

Ref: Step 4
Control Step: Has EAC implemented protections for remote access to personally identifiable information? If so, to what level?
Response: Partial
Clifton Gunderson Comments: The IG's office has signed the GSA's Rules of Behavior policy establishing acceptable use of government information resources, including downloading software, improper web access, etc. EAC's rules of behavior are currently incorporated into the EAC Security Awareness and Privacy Training programs. EAC has not conducted a risk assessment that addresses the risks associated with download, remote access, or other removal of PII from each system containing PII. Virtual Private Network (VPN) use has been granted to a selected few individuals. We selected a sample of five (5) VPN users to determine if their access is appropriately authorized, without exception. EAC does not have a Plan of Action and Milestones (POA&M) for developing and implementing protection of sensitive information.

Ref: Sect 2.1
Control Step: Has the Agency encrypted all data on mobile computers/devices which carry agency data unless the data is determined to be non-sensitive, in writing, by the Agency Deputy Secretary or an individual he/she may designate in writing?
Response: Partial
Clifton Gunderson Comments: We noted during the period of our audit that approximately 70% of all EAC computers have been encrypted with the Credant encryption software. We randomly selected five (5) laptops to determine if they are encrypted. We noted that EAC-issued BlackBerries and portable memory sticks are not currently encrypted with the Credant encryption software.

Ref: Sect 2.2
Control Step: Does the agency use remote access with two-factor authentication where one of the factors is provided by a device separate from the computer gaining access?
Response: No
Clifton Gunderson Comments: We did not see evidence of major steps and milestones directed at implementing two-factor authentication.

Ref: Sect 2.3
Control Step: Does the Agency use a "time-out" function for remote access and mobile devices requiring user re-authentication after 30 minutes of inactivity?
Response: Partial
Clifton Gunderson Comments: EAC has implemented a "time-out" function for EAC desktops, laptops and VPN access requiring user re-authentication after 30 minutes of inactivity.

Ref: Sect 2.4
Control Step: Does the Agency log all computer-readable data extracts from databases holding sensitive information and verify each extract including sensitive data has been erased within 90 days or its use is still required?
Response: No / Not Applicable
Clifton Gunderson Comments: EAC does not own or operate any information systems that contain sensitive information. All identified systems, Pegasys, FMIS and CHRIS, are owned and managed by GSA. EAC has not defined which systems should be logged and the nature of activity to be logged and reported by its service provider.

Ref: Step 5
Control Step: Has the Agency implemented provisions of OMB M-07-16 of May 22, 2007, "Safeguarding Against and Responding to the Breach of PII"?
Response: Partial
Clifton Gunderson Comments: EAC has not documented procedures to follow when responding to a breach of PII. However, EAC follows GSA policies which require the report of a breach within the first hour after the incident occurred. EAC is also required to fill out a GSA incident report to describe the event and provide any other details.

Recommendations
We recommend EAC management:

1) Designate a Chief Privacy Officer or formally appoint an individual with the responsibility of monitoring and enforcing privacy-related policies and procedures. Privacy responsibilities should be added to the position description (PD) of this assigned individual.

2) Develop an understanding of which EAC systems are covered by GSA's FISMA review rotation plan. Consequently, EAC should request from the service provider their systems review rotation schedule and note which systems are covered in each year's rotation. For fiscal years where EAC systems are not covered, GSA should grant EAC access to review these systems to comply with FISMA requirements.

3) Develop and implement formal policies that address the information protection needs associated with PII when it is either accessed remotely or physically removed from EAC-controlled areas.

EAC Management's Response
1) EAC is currently researching this issue. Due to the fact that the EAC is a small agency with limited human resources and capital, EAC needs to verify that the current "Acting Privacy Officer" can formally be appointed Chief Privacy Officer due to the multiple roles and assignments that the person formally has.

Currently, EAC is in the process of formally identifying a Privacy Officer.
In the interim, the Human Resources Division informally executes the roles and responsibilities of a Privacy Officer and daily ensures that PII is not compromised.

2) Currently, EAC has procured a contractor to assist with the Agency's strategies to meet compliancy for OMB A-130, NIST Special Publication 800-18 and FISMA. This will include completion of a C&A of support systems, System Security Plans and Practices and procedural guides and documentation. Also, EAC is currently waiting for a reply from GSA on which systems are identified in the FISMA 2008 review.

3) A Privacy Impact Assessment will be completed as EAC moves forward to become compliant with FISMA. This would address compliancy as required by OMB Memorandum 06-16, requirements for protecting personally identifiable information (PII).

GSA provides IT infrastructure and some resource support that contains Personally Identifiable Information. EAC adheres to all rules, laws, policies and regulations in regards to the access, handling and protection of personally identifiable information set forth by GSA.

At present, EAC is in the process of procuring a contractor to assist with the design, construction and implementation of policies to address personally identifiable information.

In 2006, EAC purchased software and server licenses in a joint attempt with GSA to encrypt all workstations and mobile devices. Included in the plan was a pilot test group in which EAC users and EAC OIG were to participate. Before the software and encryption server were deployed, GSA put a stop to the program due to issues found during the testing phase.
This issue was addressed when OMB/NIST made changes to the compliancy requirements for vulnerabilities in 2007. GSA was to follow a hardening guide that addressed the found vulnerabilities and apply the changes to their image before February of 2008. In January of 2008, GSA released an image addressing those vulnerabilities and it included encryption software. EAC has updated all but 3 workstations with the latest image provided by GSA, which includes the encryption software. The name of the encryption software is Credant v5. Currently, all but 3 workstations are encrypted with this software to address PII. The remaining 3 workstations will be completed by 12/15/2008.

FY08-05 Weaknesses noted in our review of the independent third-party information security examinations and inspections are not monitored by EAC within the GSA POA&M. (Re-Issued)

Based upon discussions with management, we determined that EAC does not monitor or follow up on weaknesses noted in third-party security examinations within a POA&M.

Based upon a review of the Memorandum of Understanding (MOU) between GSA and EAC (signed 3/6/08), GSA is responsible for making available the FISMA report, FISMA audit action plan and POA&M.
The POA&M will be made available on a quarterly basis.

GSA reviews its IT systems in a cyclical manner, and systems used to service EAC and other agencies are subject to an annual SAS 70 review.

Based upon our review of the GSA SAS 70 "Pegasys Financial Management System" for the period 7/1/07 through 6/30/08, the following weaknesses were identified:

• Approval for user access was not consistently documented or evidence of the review of operating system failed logins was not available, and multiple exceptions in the effectiveness of logical access controls, specifically within the UNIX and Windows server configurations, existed.
• One individual had access to the source code as well as the ability to move program changes into the production environment.

Based upon our review of the GSA SAS 70 "Payroll Accounting & Reporting System (PAR)" for the period 7/1/07 through 6/30/08, the following weaknesses were identified:

• Documentation of the testing and approval of emergency changes was not completed by the close of the next business day following the change, as required by GSA policy.
• Evidence of approval for specific roles granted to users of the operating system software was not consistently available, and evidence of testing and approval for operating system software modifications was not consistently available.

In accordance with the provisions of OMB Memorandum M-06-20 dated July 17, 2006, GSA should perform a complete FISMA review of all systems used in supporting other agencies for these user agencies to meet their FISMA requirement: "... FISMA requires annual reviews and reporting of all systems, including National Security Systems ...". FISMA Section 3544(b)(5): "... 
all information systems used or operated by the agency or by a contractor of an agency or other organization on behalf of an agency must be tested at least annually..."

NIST Special Publication 800-53 Rev 2 (CA-5) states: "The organization develops and updates [Assignment: organization-defined frequency], a plan of action and milestones for the information system that documents the organization's planned, implemented, and evaluated remedial actions to correct deficiencies noted during the assessment of the security controls and to reduce or eliminate known vulnerabilities in the system."

Per FISMA M-08-21 guidance, "The agency is responsible for ensuring the contractor corrects weaknesses discovered through self-assessments and independent assessments. Any weaknesses are to be reflected in the agency's POA&M."

"Agencies are fully responsible and accountable for ensuring all FISMA and related policy requirements are implemented and reviewed and such must be included in the terms of the contract. Agencies must ensure identical, not 'equivalent,' security procedures. For example, annual reviews, risk assessments, security plans, control testing, contingency planning, and C&A must, at a minimum, explicitly meet guidance from NIST."

Agencies and IGs should, to the maximum extent practicable, consult with other agencies using the same service provider, share security review results, and avoid the unnecessary burden on the service provider and the agencies resulting from duplicative reviews and re-reviews.
Additionally, provided they meet FISMA and policy requirements, agencies and IGs should accept all or part of the results of industry-specific security reviews performed by an independent auditor on the commercial service provider.

In the case of agency service providers, they must work with their customer agencies to develop suitable arrangements for meeting all of FISMA's requirements, including any special requirements for one or more particular customer agencies. Any arrangements should also provide for an annual evaluation by the IG of one agency. Thereafter, the results of that IG evaluation would be shared with all customer agencies and their respective IGs.

Per FISMA M-08-21 reporting instruction guidance, agency POA&Ms must:

1) Be tied to the agency's budget submission through the unique project identifier of a system. This links the security costs for a system with the security performance of a system.

2) Include all security weaknesses found during any other review done by, for, or on behalf of the agency, including GAO audits, financial system audits, and critical infrastructure vulnerability assessments. These plans should be the authoritative agency-wide management tool, inclusive of all evaluations.

3) Be shared with the agency IG to ensure independent verification and validation of identified weaknesses and completed corrective actions.

4) Be submitted to OMB upon request.

Recommendations
We recommend EAC management:

• Request from GSA their systems review rotation plan and note which EAC support systems are covered by each rotation [by FY].
  For FYs where EAC systems are not covered, GSA should grant EAC access to review these systems to comply with FISMA Section 3544.

• Obtain from GSA its POA&M to address security weaknesses identified in: (1) the SAS 70 review of the Heartland Finance Center; (2) the GSA OIG's 2008 FISMA Report; and (3) any other security-related reviews it may have performed on EAC support systems.

EAC Management's Response
Currently, EAC has procured a contractor to assist with the agency's strategies to become compliant with OMB A-130, NIST Special Publication 800-18 and FISMA. These measures include completion of a certification and accreditation of support systems, System Security Plans and Practices and procedural guides and documentation that will address the following issues noted in the condition above:

• Periodic assessments of risks
• Policies and procedures that are based on risk assessments
• Periodic testing and evaluation of the effectiveness of information security policies, procedures, practices, and security controls
• A process for planning, implementing, evaluating, and documenting remedial actions to address any deficiencies in the information security policies, procedures, and practices of the agency
• Procedures for detecting, reporting, and responding to security incidents
• Plans and procedures to ensure continuity of operations
• Subordinate plans for providing adequate information security for support systems

FY08-06 Policies or procedures for information security or privacy management have not been developed. Per the terms of the MOU, the GSA procedures will prevail where there are no guiding policies provided by the user organization. (Re-Issued)

Since the pre-FISMA assessment in 2007, EAC's information security awareness and privacy training programs and content make references to applicable GSA policies (in the absence of corresponding EAC policies and procedures).

The E-Government Act (Public Law 107-347) Title III, entitled FISMA, requires each federal agency to develop, document, and implement an agency-wide information security program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source. The information security program must include:

Periodic assessments of risk, including the magnitude of harm that could result from the unauthorized access, use, disclosure, disruption, modification, or destruction of information and information systems that support the operations and assets of the agency.

Policies and procedures that are based on risk assessments, cost-effectively reduce information security risks to an acceptable level, and ensure that information security is addressed throughout the life cycle of each agency information system.

Recommendation
We recommend EAC management develop and implement information security policies for EAC.
Where GSA policies are used, distribute these policies so employees are aware of their responsibilities and obligations.

EAC Management's Response
Currently, EAC has procured a contractor to assist with the agency's strategies to become compliant with OMB A-130, NIST Special Publication 800-18 and FISMA. These measures include completion of a certification and accreditation of support systems, System Security Plans and Practices and procedural guides and documentation that will address the following issues noted in the condition above:

• Periodic assessments of risks
• Policies and procedures that are based on risk assessments
• Periodic testing and evaluation of the effectiveness of information security policies, procedures, practices, and security controls
• A process for planning, implementing, evaluating, and documenting remedial actions to address any deficiencies in the information security policies, procedures, and practices of the agency
• Procedures for detecting, reporting, and responding to security incidents
• Plans and procedures to ensure continuity of operations
• Subordinate plans for providing adequate information security for support systems

Though EAC's process is informal considering the lack of documentation and procedural guides, a contingency plan exists for GSA systems which include EAC. As a result, EAC would be effectively operational in the event of a minor or major disaster.
EAC currently has a draft of recommendations for a COOP plan which will be addressed during the agency's efforts to be in compliance with OMB Circular A-130, NIST Special Publication 800-18 and FISMA.

Additionally, EAC is in the process of having a contractor assist with the design, construction and implementation of policies to address personally identifiable information.

In the event of a security incident, EAC follows GSA's CIO-IT Security-01-02, the Handling IT Security Incidents Procedural Guide.

FY08-07 A formal incident response capability has not been established.

EAC has not established a formal incident response capability. Specifically:
• Formal incident response procedures that clearly define the roles and responsibilities of key parties and users have not been developed;
• A formal incident response team has not been established; and
• EAC does not provide incident response training to users.

We were informed that EAC currently reports all security incidents to GSA and has not developed its own incident response capability.
        Further, we inspected
        the EAC security awareness training documentation and noted that EAC system
        users are not provided training on their incident response responsibilities.

        NIST Special Publication 800-61, Computer Security Incident Handling Guide,
        sets out the incident response capability agencies are required to establish,
        including, among other things, incident response procedures, an incident
        response team and incident response training.

        Recommendations
        We recommend EAC management:

        •    Implement a formal incident response policy and procedures in line with
             NIST SP 800-61.
        •    Establish a formal incident response team with defined roles and
             responsibilities.
        •    Update the security awareness training documentation to include incident
             response training.

        EAC Management's Response
        Currently, EAC has procured a contractor to assist with the agency's strategies to
        meet compliance with OMB Circular A-130, NIST Special Publication 800-18 and FISMA.
        This will include completion of a C&A of support systems, System Security Plans
        and Practices and procedural guides and documentation that will address the
        following issues noted in the condition above:

        •    Periodic assessments of risks
        •    Policies and procedures that are based on risk assessments
        •    Periodic testing and evaluation of the effectiveness of information security
             policies, procedures, practices, and security controls
        •    A process for planning, implementing, evaluating, and documenting
             remedial actions to address any deficiencies in the information security
             policies, procedures, and practices of the agency
        •    Procedures for detecting, reporting, and responding to security incidents
        •    Plans and procedures to ensure continuity of operations
        •    Subordinate plans for providing adequate information security for support
             systems

        Though EAC's process is informal, by not having documentation and procedural
        guides, a contingency plan exists for GSA systems, which include EAC. As a
        result, EAC would be effectively operational in the event of a minor or major
        disaster. EAC currently has a draft of recommendations for a COOP plan which
        will be addressed during the agency's efforts to be in compliance with OMB
        Circular A-130, NIST Special Publication 800-18 and FISMA.

        In the event of a security incident, EAC follows GSA's CIO-IT Security-01-02,
        the Handling IT Security Incidents Procedural Guide.


FY08-08 A Continuity of Operations Plan (COOP), Disaster Recovery Plan (DRP) or
        Business Impact Analysis (BIA) has not been developed.

        NIST Special Publication 800-34 requires agencies to conduct a business impact
        analysis to identify and prioritize critical IT systems and components prior to
        developing a contingency plan.

        NIST Special Publication 800-53 Rev 2, control CP-2 (Contingency Plan), states:
        "The organization develops and implements a contingency plan for the information
        system addressing contingency roles, responsibilities, assigned individuals with
        contact information, and activities associated with restoring the system after a
        disruption or failure.
        Designated officials within the organization review and
        approve the contingency plan and distribute copies of the plan to key
        contingency personnel."

        Presidential Decision Directive 67 (PDD 67), among other things, requires federal
        agencies to develop Continuity of Operations Plans for essential operations.

        Recommendations
        We recommend EAC management:

        •   Conduct and document a formal business impact analysis to identify and
            prioritize critical IT systems and components.
        •   Finalize and approve the draft contingency and continuity of operations plan
            and ensure that the plan is tested periodically.

        EAC Management's Response
        Currently, EAC has procured a contractor to assist with the agency's strategies to
        become compliant with OMB Circular A-130, NIST Special Publication 800-18 and
        FISMA. This will include completion of a C&A of support systems, System
        Security Plans and Practices and procedural guides and documentation that will
        address the following issues noted in the condition above:

        •    Periodic assessments of risks
        •    Policies and procedures that are based on risk assessments
        •    Periodic testing and evaluation of the effectiveness of information security
             policies, procedures, practices, and security controls
        •    A process for planning, implementing, evaluating, and documenting
             remedial actions to address any deficiencies in the information security
             policies, procedures, and practices of the agency
        •    Procedures for detecting, reporting, and responding to security incidents
        •    Plans and procedures to ensure continuity of operations
        •    Subordinate plans for providing adequate information security for support
             systems

        Though EAC's process is informal, by not having documentation and procedural
        guides, a contingency plan exists for GSA systems, which include EAC. As a
        result, EAC would be effectively operational in the event of a minor or major
        disaster. EAC currently has a draft of recommendations for a COOP plan which
        will be addressed during the agency's efforts to be in compliance with OMB
        Circular A-130, NIST Special Publication 800-18 and FISMA.

        In the event of a security incident, EAC follows GSA's CIO-IT Security-01-02,
        the Handling IT Security Incidents Procedural Guide.


FY08-09 EAC does not have an inventory of all the systems/applications used by
        GSA to support the operations of EAC, or formally identified major
        applications and general support systems. (Re-Issued)

        Federal information security guidance recommends that each organization
        develop, document and maintain a current baseline configuration of its
        information systems and an inventory of each system's constituent components,
        even if these systems are not operated by the organization. We reviewed
        EAC's organizational structure and held discussions with management to identify
        EAC's IT infrastructure and the critical systems and platforms that
        support its operations. EAC does not own or operate any IT systems or
        platforms; it relies on GSA, which provides administrative, financial
        management and IT-related support services for EAC.
        GSA owns and operates
        the systems that support EAC.

        Title 44 of the United States Code, Chapter 35, § 3505(c) states that:
        (1) The head of each agency shall develop and maintain an inventory of major
            information systems (including major national security systems) operated by
            or under the control of such agency.
        (2) The identification of information systems in an inventory under this subsection
            shall include an identification of the interfaces between each such system
            and all other systems or networks, including those not operated by or under
            the control of the agency.
        (3) Such inventory shall be:
            (a) Updated at least annually.
            (b) Made available to the Comptroller General.
            (c) Used to support information resources management, including:
                (i)  Preparation and maintenance of the inventory of information resources
                     under section 3506(b)(4).
                (ii) IT planning, budgeting, acquisition and management.

        Recommendation
        We recommend EAC management obtain from its service provider, GSA, an inventory
        of the systems that support EAC's operations. EAC should further obtain from GSA
        a list of the systems covered by the 2008 FISMA review and reconcile it with the
        list of EAC support systems to ensure EAC systems are adequately covered by the
        service provider's FISMA review.

        EAC Management's Response
        Currently, EAC has procured a contractor to assist with the Agency's strategies
        to meet compliance with OMB Circular A-130, NIST Special Publication 800-18 and
        FISMA. This will include completion of a C&A of support systems, System Security
        Plans and Practices and procedural guides and documentation.

        EAC is currently waiting for a reply from GSA on which systems are identified in
        the FISMA 2008 review.


VII. ACRONYMS

        CFO       Chief Financial Officer
        FIPS      Federal Information Processing Standard
        FISCAM    Federal Information System Controls Audit Manual
        FISMA     Federal Information Security Management Act of 2002
        FY        Fiscal Year
        GAO       Government Accountability Office
        GSA       General Services Administration
        IG        Inspector General
        IT        Information Technology
        CG        Clifton Gunderson LLP
        LAN       Local Area Network
        NIST      National Institute of Standards and Technology
        EAC       Election Assistance Commission
        OIG       Office of the Inspector General
        OMB       Office of Management and Budget
        PII       Personally Identifiable Information
        POA&Ms    Plans of Action and Milestones
        SP        Special Publication


OIG's Mission         The OIG audit mission is to provide timely, high-quality
                      professional products and services that are useful to OIG's clients.
                      OIG seeks to provide value through its work, which is designed to
                      enhance the economy, efficiency, and effectiveness of EAC
                      operations so they work better and cost less in the context of
                      today's declining resources. OIG also seeks to detect and prevent
                      fraud, waste, abuse, and mismanagement in these programs and
                      operations. Products and services include traditional financial and
                      performance audits, contract and grant audits, information systems
                      audits, and evaluations.


Obtaining             Copies of OIG reports can be requested by e-mail
Copies of             (eacoig@eac.gov).
OIG Reports
                      Mail orders should be sent to:

                      U.S. Election Assistance Commission
                      Office of Inspector General
                      1225 New York Ave. NW - Suite 1100
                      Washington, DC 20005

                      To order by phone: Voice:    (202) 566-3100
                                         Fax:      (202) 566-0957


To Report Fraud,      By Mail:    U.S. Election Assistance Commission
Waste and Abuse                   Office of Inspector General
Involving the U.S.                1225 New York Ave. NW - Suite 1100
Election Assistance               Washington, DC 20005
Commission or Help
America Vote Act      E-mail:     eacoig@eac.gov
Funds
                      OIG Hotline: 866-552-0004 (toll free)

                      FAX: 202-566-0957